Hi all,
I'm creating a REST plugin to allow us to automate a few things where the JAVA API is available in Jira, but is not exposed by the existing REST plugins.
The functionality works fine, but any authenticated user can run it regardless of their role in JIRA. This is obviously not desirable.
We would like to restrict this to users who have either the 'JIRA System Administrators' or 'JIRA Administrators' role.
Does anyone have any example of a REST plugin that does this, as I can't find anything in the REST documentation I've been working from that explains how to do this.
Thanks!
For a fairly recent JIRA version, I suggest you use GlobalPermissionManager in conjunction with GlobalPermissionKey, like so:
globalPermissionManager.hasPermission(GlobalPermissionKey.ADMINISTER, user)
Thanks - I've done that, but no matter what user we test as, globalPermissionManager.hasPermission(GlobalPermissionKey.ADMINISTER, user) returns true. I'm getting the logged-in user using jiraAuthenticationContext.getUser() in my constructor. I then do:

    logger.warn("Permission: " + globalPermissionManager.hasPermission(GlobalPermissionKey.SYSTEM_ADMIN, loggedInUser));
    if (globalPermissionManager.hasPermission(GlobalPermissionKey.ADMINISTER, loggedInUser)) {
        // Do Stuff
    }

Every user I've asked to test with returns:

    2015-06-08 11:57:44,309 ajp-bio-127.0.0.1-19041-exec-1, unique_id=ID, time=1433779064300, uri=/jira/rest/myrest/1.0/plugin WARN USERNAME foo bar 10.1.1.1,10.1.1.2,10.1.1.3 /rest/myrest/1.0/plugin [plugins.myapp.rest.MyClass] Permission: true

The users are definitely not in any group associated with the JIRA System Administrators or JIRA Administrators roles under Global Permissions. I've also tried using GlobalPermissionKey.SYSTEM_ADMIN with the same result. Any idea how I'd debug that further?
You're calling "jiraAuthenticationContext.getUser()" in the constructor?! If that is really the case, then that is the error. You have to call getUser() in each REST method separately. The constructor is called only ONCE when installing/activating the plugin, and saving the user there is an error. You can save a reference to JiraAuthenticationContext, but NOT the logged-in user.
Ah, ok - that makes a lot of sense. *blush* - thanks loads, that's working now in each method. I was hoping to avoid per-call overhead, but it makes sense that the lib isn't instantiated for each request, so the constructor is the wrong place to do it.
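As an added example (not code from the question or the replies above), a minimal JAX-RS resource that applies the answer and the follow-up comment together: the two Jira services are injected once into the long-lived resource, but the logged-in user is resolved inside the request method and the permission check runs per call. The package, class name and REST path are hypothetical, and the constructor injection assumes the components are wired through the plugin descriptor in the usual way.

```java
package com.example.myplugin.rest;   // hypothetical package

import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.user.ApplicationUser;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

@Path("/plugin")   // hypothetical path
public class AdminOnlyResource {

    // Safe to keep as fields: these are singleton services, not per-request state.
    private final JiraAuthenticationContext authContext;
    private final GlobalPermissionManager globalPermissionManager;

    public AdminOnlyResource(JiraAuthenticationContext authContext,
                             GlobalPermissionManager globalPermissionManager) {
        this.authContext = authContext;
        this.globalPermissionManager = globalPermissionManager;
        // Deliberately NOT doing: this.user = authContext.getUser();
        // The resource is constructed once per plugin lifecycle, so that would
        // pin whichever user triggered construction for every later request.
    }

    /** Resolves the caller for THIS request and checks the two admin permissions. */
    private boolean isAdmin() {
        ApplicationUser caller = authContext.getUser();   // looked up per request
        if (caller == null) {
            return false;                                  // anonymous caller
        }
        return globalPermissionManager.hasPermission(GlobalPermissionKey.ADMINISTER, caller)
            || globalPermissionManager.hasPermission(GlobalPermissionKey.SYSTEM_ADMIN, caller);
    }

    @GET
    @Produces(MediaType.APPLICATION_JSON)
    public Response run() {
        if (!isAdmin()) {
            // 403: authenticated but not authorised for this endpoint
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        // ... privileged automation goes here ...
        return Response.ok("{\"status\":\"done\"}").build();
    }
}
```

Once the check is per request, testing as an ordinary user should log a 403 for this endpoint, which is an easy way to confirm the fix from the comment above actually took effect.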